Localboot products: automatic software distribution with opsi
Localboot products are all products that are installed by the 'opsi-client-agent' after the computer started the installed OS. This is in contrast to the netboot products described below Netboot products.
opsi standard products
The following localboot products are part of the default installation of opsi.
activate-win
Activate Windows:
-
by using different methods controlled by the properties
-
by using different license key sources
config-win10
Configures various Windows 10 settings such as lock screen, hibernation boot, sending telemetry and update behavior.
See also: microsoft-windows-policies.
-
allow_useractivity_publishing allows Microsoft to collect userctivity experiences
-
change_power_plan changes the power management profile.
-
config_updates allows you to change the source of the updates. The updates are then downloaded either directly from Microsoft servers, a local peer-to-peer network or a peer-to-peer network from the Internet. The 'disable' option is meanwhile moved into a separate property called 'disable_updates'.
-
defer_upgrade postpones updates and upgrades. Updates can be postponed by four weeks and upgrades by eight months. It should be noted that security-relevant updates are installed despite the 'defer' option. However, feature updates are not installed.
-
deferfeatureupdatesperiodindays Defines how long quality updates, also called windows upgrades, should be defered. The maximum is 365 days.
-
deferqualityupdatesperiodindays Defines how many days feature updates should be defered. The maximum is 29 days.
-
disable_advertising_id deactivates the so-called Advertising ID. This stores data about the browser history in order to display user-specific advertising.
-
disable_app_suggestion_in_startmenu deactivates suggested apps in the start menu.
-
disable_automatic_logon_on_reboot: disables an automatic logon after reboot.
-
disable_cortana deactivates the Cortana voice assistant. This collects various data about input and transfers this data to Microsoft servers.
-
disable_customer_experience disables collecting data related to application usage data.
-
disable_defender disables the anti-virus protection included with Windows 10 called 'Defender'.
-
disable_dosvc disbales a service used for delivery optimization.
-
disable_error_report deactivates sending error reports to Microsoft. This does not affect third party apps.
-
disable_fast_boot deactivates fast boot and ensures that the standard opsi-event gui_startup works properly.
-
disable_font_streaming ensures that fonts not installed on the system are streamed from the Internet.
-
disable_handwrite_sharing A special feature is the use of Windows 10 on tablet PCs. Here, data about handwriting is collected and sent to a Microsoft server.
-
disable_location_sensors disables collecting data about the current geolocation of the device.
-
disable_lock_screen disables the lock screen.
-
disable_mrt deactivates the use of the 'Malware Removal Tool', MRT for short. This service scans existing files on the computer’s hard drive at regular intervals and compares them with a list of potentially dangerous software.
-
disable_news_and_interest deactivates news and interest in the taskbar.
-
disable_onedrive_sync disables the OneDrive file synchronization.
-
disable_push_install disables the possibility to push install apps from the Microsoft store from another device with the same account.
-
disable_recent_apps disables the presentation of recently used apps in the start menu.
-
disable_sending_feedback makes it possible to influence the transfer of data to Microsoft in the event of application crashes.
-
disable_smbv1 disables the SMB v1 protocol.
-
disable_suggested_silent_app_installion deactivates a silent installation of suggested apps in the background without user interaction.
-
disable_telemetry makes it possible to limit the amount of data collected. A lot of data is transferred as standard. If the property is set to 'true', Windows is set so that only security-relevant data is transferred. This is the lowest level. This security level can only be set in the Windows 10 Enterprise and LTSB version. In the other versions of Windows 10, the next lowest level is applied, Basic.
-
disable_update_button disables the update button within the update settings. If set to false after it was set to true it might take a couple of hours to make the button usable again.
-
disable_update_service disables the windows update service and provides another possibility to block updates.
-
disable_updates blocks connections to Microsoft update sources when set to 'true'. Setting the property to 'false' enables these connections again.
-
disable_wifi_sense deactivates the service called 'Wifi Sense'. This service enables saved WLAN configurations to be shared with contacts.
-
flashplayer_autorun There is a security vulnerablility in Windows 10 with the Adobe Flashplayer. It is recommended to deactivate the autorun feature of the flash player. With 'false' the Flashplayer is no longer started.
-
hide_known_file_extensions hides known file extensions, e.g. txt.
-
local_wsus_available: Only affects Windows Updates: When 'true' a connection to a local WSUS server is possible.
-
minimize_recommendations deactivaes the usage of collected data to show recommendations on lockscreen.
-
no_new_app_install_notification: If this is set to 'true' this property deactivates notifications on app updates.
-
online_search Online results are also provided for every search using the integrated search bar in the taskbar. 'true' enables such an online search, 'false' disables it.
-
oobedisableprivacyexperience: Only affects Windows 10 1809 and newer. Deactivates OOBE DIsablePrivacyExperiene, if 'true'.
-
remove_edge_from_desktop removed the desktop shotcut for the old edge browser.
-
show_all_folder_in_navbar shows all folders in the navigation bar in the Widnows Explorer.
-
show_drive_letter_first shows the drive letter first.
-
show_this_pc_instead_of_quicklaunch opens this pc instead of a quick access.
-
sync_settings If you use Windows 10 in combination with a Microsoft account, it is possible to synchronize your settings with the current Microsoft account. If you set the property 'sync_settings' to 'false' this will be deactivated.
-
wlid_service controls the behaviour of the Windows Live ID Service.
[ProductProperty]
type: bool
name: disable_fast_boot
description: Disable Fastboot for proper opsi startup
default: True
[ProductProperty]
type: bool
name: disable_lock_screen
default: True
[ProductProperty]
type: bool
name: disable_telemetry
description: Disable telemetry data transmission
default: True
[ProductProperty]
type: bool
name: disable_cortana
description: Disable Cortana assistant
default: True
[ProductProperty]
type: bool
name: disable_customer_experience
description: Disable customer experience program
default: True
[ProductProperty]
type: bool
name: disable_mrt
description: Disable Malicious Software Removal Tool
default: True
[ProductProperty]
type: unicode
name: config_updates
multivalue: False
editable: False
description: Set Windows-Update behavior
values: ["AllowPeerToPeer", "LocalPeerToPeer", "MicrosoftOnly"]
default: ["MicrosoftOnly"]
[ProductProperty]
type: bool
name: disable_mac
description: Disable Microsoft Account communication
default: False
[ProductProperty]
type: bool
name: disable_advertising_id
description: Disable Microsoft Advertising ID
default: False
[ProductProperty]
type: bool
name: disable_updates
description: Disable Windows Updates
default: False
[ProductProperty]
type: bool
name: disable_defender
description: Disable Microsoft Windows Defender
default: False
[ProductProperty]
type: bool
name: disable_wifi_sense
description: Disable Wi-Fi Sense
default: False
[ProductProperty]
type: bool
name: disable_sending_feedback
description: Disable sending feedback and diagnostics
default: False
[ProductProperty]
type: bool
name: disable_font_streaming
description: Disable font streaming of not installed fonts
default: False
[ProductProperty]
type: bool
name: defer_upgrade
description: Defer Windows 10 Upgrade
default: True
[ProductProperty]
type: bool
name: flashplayer_autorun
description: Adobe Flashplayer: allow autorun?
default: False
[ProductProperty]
type: bool
name: location_sensors
description: Disable location and sensor detection
default: True
[ProductProperty]
type: bool
name: online_search
description: Disable online search during file or command search
default: True
[ProductProperty]
type: bool
name: disable_handwrite_sharing
description: Tablet-PC: Disable sharing of handriting information
default: True
[ProductProperty]
type: bool
name: sync_settings
description: Sync settings with AccountID
default: False
swaudit + hwaudit: Products for hard- and software-audit
The hwaudit and swaudit products are used for hardware and software inventory. The hardware data is collected via WMI and reported back to the server via the 'opsi-Webservice'. For the software inventory the information is taken from the registry key (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall)and reported back to the server via the 'opsi-Webservice'.
microsoft-windows-policies
Configures various Windows 10 settings.
Like config-win10 but the implementation is policy based.
The product documentation will be found inside the product at the path: documentation
.
opsi-auto-update
opsi-auto-update is a product to simplify the maintenance of the clients.
opsi-auto-update is not for clients running the WAN-extension. Use in this case: opsi-outdated-to-setup |
In essence, this product can be used to ensure that the installed products are up to date.
The product sets all installed products,
whose version is not identical to that on the server,
for the client to setup.
Properties for managing exceptions:
-
name:
products_to_exclude
-
description: (Blacklist) Which opsi product(s) should be excluded from update ?
List of products that should not be installed even if there is an update (such as windomain)
-
-
name:
products_to_exclude_by_regex
-
description: (Blacklist) Which opsi product(s) should be excluded from update (by regular expressions)?
List of regular expressions that fit products that should not be installed even if there is an update (such as windomain)
-
-
name:
products_to_include
-
description: (Whitelist) Which opsi product(s) should be checked for update ? ; If empty = all products
Here you can enter a list of products to which the update check should be limited. Products that are not in this list are also not considered when checking for updates. Exception: If the list is empty, all products are checked.
-
Properties for managing includes:
-
name:
products_to_run_always
-
description: Which opsi product(s) should be installed via every update ? (List will not be cleared after run)
List of products which are set to setup every time opsi-auto-update is run.
-
-
name:
failed_products_to_setup
-
description: if true this also sets all failed products to setup on all clients
If this is True, all products currently on failed are set to setup.
-
Properties for sequence control:
-
name:
shutdown_on_finish
-
description: if true we have a final shutdown if false we have no reboot / shutdown default: False
Should a shutdown me made after the product has finished?
-
Special properties for 'local-image / vhd-reset':
See also: opsi vhd reset
See also: opsi local image
-
name:
do_cleanup
-
description: If false: skip restore before update
This property is ignored if it is not a vhd or local image installation.
For a vhd installation, do_cleanup=true executesopsi-vhd-control
before the updates, thereby discarding all changes and restoring the saved state.
For a local-image installation, do_cleanup=true executesopsi-local-image-restore
before the updates, thereby discarding all changes and restoring the saved state.
In both cases, information about action requests is also discarded. In order to be able to add or remove products during a run ofopsi-auto-update
, there are the following two properties.
-
-
name:
products_to_install
-
description: Which opsi product(s) should be installed via update ? (List will be cleared after run)
List of products which are set to setup during the opsi-auto-update run. If the products have been installed successfully, they will be removed from this list.
-
-
name:
products_to_uninstall
-
description: Which opsi product(s) should be uninstalled via update ? (List will be cleared after run)
List of products which are set to uninstall during the opsi-auto-update run. If the products have been uninstalled successfully, they will be removed from this list.
-
-
name:
do_merge
-
description: If false: skip backup after update
This property is ignored if it is not a vhd or local image installation.
For a vhd installation, do_cleanup=true executesopsi-vhd-control
withupgrade=true
after the updates and thus all changes are saved.
For a local-image installation, do_cleanup=true executesopsi-local-image-backup
after the updates and thus all changes are saved.
-
Properties for debugging:
-
name:
disabled
This property is for debugging purposes.
If 'true', the product does not execute any actions.
Default = 'false' -
name:
rebootflag
Please do not change during the run. This should be '0' before starting. -
name:
stop_after_step
This property is for debugging purposes.
If not '0' then this is the number of reboots after which to stop. Default = '0'
The opsi-auto-update
product has a very low priority (-97),
which is even less than that of opsi-vhd-control.
The opsi-auto-update
product can be combined well with a cron job that executes opsi-wakeup-clients
.
(opsi-wakeup-clients is part of the opsi-utils package)
For details see here: opsi-wakeup-clients
On maintenance of the clients see also:
opsi-outdated-to-setup
working-window
opsi-cli
Client version of the command line tool opsi-cli
See also chapter: opsi-cli
opsi-client-agent
The opsi-client-agent is the client agent of opsi and is described in detail above: see chapter opsi-client-agent
To this group of opsi products also belong:
-
opsi-linux-client-agent (for Linux)
-
opsi-mac-client-agent (for macOS)
opsi-client-kiosk
With the opsi-client-kiosk (Software on Demand) opsi administrators may give their users access to install a range of software-products. These software products may be selected and installed user-driven without the administrator needing to do anything.
To this group of opsi products also belong:
-
l-opsi-client-kiosk (for Linux)
-
m-opsi-client-kiosk (for macOS)
See also chapter: opsi Software On Demand - opsi-client-kiosk
opsi-configed
The opsi graphical management interface packaged as application
Also provides the 'opsi-logviewer'.
For Windows, Linux and macOS.
See also chapter: opsiconfiged
opsi-script-test
Large collection of opsi-script self tests. This can be used as a sample collection for working calls of opsi-script commands.
opsi-script
The product opsi-script is a special case. It contains the current opsi-script. This does not have to be set to setup to update. Rather, part of the opsi-client-agent checks each time it is started whether a different version of the opsi-script is available and fetches it if this is the case.
opsi-setup-detector
The opsi-setup-detector is GUI Tool to create opsi products based on a installer file. It also may produce opsi template products.
See also chapter: opsi Setup Detector
opsi-uefi-netboot
Reboots an UEFI client into a network boot.
See also chapter: opsi with UEFI / GPT
opsi-wim-capture
Captures an existing Windows installation as image to a WIM file.
this topic also covers the products:
-
opsi-wim-delete
-
opsi-wim-info
See also chapter: opsi WIM Capture
opsi-win-driver-update
opsi-auto-update is not for clients running the WAN-extension |
The goal of this product is, to update the driver of existing windows machines from the standard netboot driver repository.
If you have new drivers for your machines, usually the first step is to integrate these drivers into the driver repository of the used netboot product.
How this is done is described in the opsi-windows-client-manual in the chapter:
Drivers automatically assigned to the clients using the inventory fields.
and in the User Interface chapter:
Automatic driver upload
By default, the product tries to use the 'byAudit' driver repository of the netboot product used for the OS installation of this machine. The driver repository of this netboot product will be used for this product.
The script tries to detected the used netbootproduct. You may use the property netbootproduct
to define the netboot product to use.
Using the property driver_path
you may also point to a totally different driver repository. Such a driver repository will not be filtered by <vendor>/<model>
.
The properties:
-
name:
driver_path
description: Path to the driver directory.
'auto'= from netboot product driver repo
default=auto -
name:
netbootproduct
description: name of the netboot product (where we can find the driver in driver_path auto mode).
'auto'= try to detect the used netboot product
default=auto -
name:
force_import_cert_from_sys
description: if true, installation of not correct signed drivers will be possible by extracting the certs from the .sys file and import them to the cert store
default=false -
name:
force_reinstallation
description: if true, we try to install the driver even if it seems to be installed in the repo version
default=false
The list of found path to drivers will be filtered by the following criteria:
All directories which contains one of the following pattern will be excluded:autorun.inf, WINXP, XP, WIN200, WIN2K, VISTA, WINPE On 64 Bit system all directories which contains one of the following pattern will be excluded: 32, x86, DrvBin32 ,WIN32, IA32, IA-32 On 32 Bit system all directories which contains one of the following pattern will be excluded: 64, x64 , DrvBin64, WIN64, x86-64, amd64 |
opsi-winpe
Product for easy generation of an opsi-winpe.
See also chapter: Creating a WinPE
opsipackagebuilder_wlm
The opsipackagebuilder is a opsi community GUI Tool to modify opsi products.
For Windows, Linux und Mac.
See also:
windows10-enablement
Product to move certain Windows 10/11 releases to a higher version by installing special hotfixes and without running a complete inplace upgrade.
Updates Windows 10 1903 to 1909 or Windows 10 2004, 20H1 and 21H1 to version 21H2
Dependencies and order
You can define the priority and dependencies for product actions.
Product priorities
Product priorities are used to move certain packages forwards or backwards in the order.
For example, it makes sense to place service packs and patches at the beginning of an installation and a software inventory at the end.
Product priorities are numbers between 100 (highest) and -100 (lowest).
No priority (0) is the default value.
=== Product dependencies
Dependencies can be defined between product packages.
These dependencies always apply to a specific action (e.g. setup
).
Different dependencies can be defined for different actions.
Product dependencies have the following attributes:
- productId
-
The product for which the dependency applies.
- productAction
-
The action for which the dependency applies (e.g.:
setup
,uninstall
) - requiredProductId
-
The product to which the dependency applies.
- requiredProductVersion
-
An exact product version of the dependent product (optional).
- requiredPackageVersion
-
An exact package version of the dependent product (optional).
- requiredInstallationStatus
-
The installation status that the dependent product must fulfill.
- requiredAction
-
An action to be set for the dependent product.
- requirementType
-
Type of dependency (
before
,after
or undefined).
With product dependencies it is possible to set an installation status of another product (requiredInstallationStatus
) as a condition.
When setting an action that defines such a dependency, an action is then also set for the dependent product if this is necessary to fulfill the condition.
Here is an example:
The software LibreOffice (product: libreoffice
) requires an installed Java Runtime Enviroment (product: jre
) for certain features.
This can be mapped with the following product dependency:
productId
: libreoffice
requiredProductId
: jre
requiredInstallationStatus
: installed
If the condition must be fulfilled before (before
) or after (after
) the action, the dependency type can be set accordingly.
Here is an example:
The Firefox add-on Kee Password Manager (product: firefox-addon-kee) requires an installed Firefox Browser (product: firefox) during installation.
This can be mapped with the following product dependency:
productId
: firefox-addon-kee
requiredProductId
: firefox
requiredInstallationStatus
: installed
requirementType
: before
The dependency types before and after should only be used if a sequence is actually absolutely necessary. Otherwise, a dependency without specifying a requirementType is sufficient. A less strict control of sequences can also be achieved via the product priorities.
|
Sequence of product actions
The sequence of product actions is calculated taking into account product dependencies and product priorities.
The product actions to be executed are grouped first.
All product actions that have dependencies of type after
or before
are grouped together.
Within these groups, the actions are sorted according to the product priorities (highest first) and then re-sorted based on the dependencies defined via before
and after
.
If the uninstall
action is set for a product, the priority for this product is negated.
The group takes on the priority of the contained product priorities.
The lowest priority is used if all contained product priorities are negative.
In any other case, the group adopts the highest priority contained.
The actions are then executed according to the priority of the group (highest first) and then according to the sorting within the group.
A product with a low priority can be pushed forward in the sequence if it is required by another product with a high priority as a dependency with the type before .
|
Defining product priorities and dependencies
Priorities and product dependencies belong to the metadata of an product. You will be asked for these when creating a product with the command opsi-newprod
.
This metadata is stored in the control file of the product and can be edited there. After a change in the control file, the product must be repacked and installed again.
See also the chapter: Priority and Dependencies
Integration of new software packages into the opsi software deployment.
Instructions for integrating your own software can be found in the chapter: Integrating custom software